History of the Federal Computer Incident Response Capability (FedCIRC) Pilot

June 1996 through September 1998

In April 1996 NIST proposed to the Government Information Technology
Services Board (GITS) a government-wide computer security incident response
capability. The capability would be administered by the National Institute
of Standards and Technology (NIST) and operated by the Department of Energy's
Computer Incident Advisory Capability (CIAC) and the CERT(SM) Coordination
Center (CERT/CC). By utilizing two existing teams, CIAC and the CERT/CC,
an immediate response capability would be provided. NIST's role was to
facilitate incident handling for the federal agencies by providing standards,
guidance, and mechanisms for sharing information.

The need for an incident handling capability that crossed agency boundaries
had never been greater. Most federal agencies were connected to the Internet
and exchanged information regularly. The number of Internet-related incidents
that occurred in 1995, along with the increase in the number and complexity
of threats, required agencies to take their incident handling capabilities seriously.
The Office of Management and Budget emphasized this need in OMB Circular
A-130, Appendix III, by requiring agencies to be able to respond in a manner
that both protects their own information and helps to protect the information
of others who might be affected by the incident. The private sector was
undergoing the same rapid growth in network dependency as the Federal community
and needed the same incident handling support. Several private sector organizations
foresaw the need and began to offer incident handling services.

The Presidential Commission for Infrastructure Protection also saw the
necessity for the Federal community to be able to deal effectively and
efficiently with threats to their information technology. The Commission
recommended the establishment of a capability that would coordinate with
other Federal initiatives, when necessary, to analyze and resolve the threats
to the critical information technology infrastructure.

During the FedCIRC pilot's short existence, much was accomplished towards
realizing the FedCIRC mission. FedCIRC assisted in over eighteen hundred
incidents which impacted thousands of sites worldwide. FedCIRC devoted
a significant portion of its two years to educating the federal community
by holding twenty-two workshops/seminars on incident handling and incident
prevention. The web site was accessed a half-million times. The site contained
an interactive tools database and virus database as well as other relevant
information and resources for incident handling. FedCIRC handled thousands
of e-mail messages and hot-line calls requesting information and guidance.

In addition to the above activities, the energies and resources of the
FedCIRC team were focused on informing potential clientele about the program
and on obtaining funding for continued fiscal health. The two-fold task
of educating the consumer and soliciting sponsorship was costly and diverted
effort from the real FedCIRC emphasis: providing incident handling for the
Federal civilian government.

FedCIRC revenue generation was built on a subscription model. The FedCIRC
collaborators found, however, that a subscription model as a means of funding
an incident response (IR) team was inappropriate and unworkable. Two points
were clear from using this model to acquire funds for FedCIRC. The first
point was that eighteen months (i.e., the initial and follow-on GITS funding)
was too short a time to make FedCIRC self-supporting financially. The FedCIRC
pilot demonstrated valuable output and assistance in the short time it
was operational. FedCIRC garnered verbal support and enthusiasm for its
program of work. FedCIRC could not, however, overcome fiscal bureaucracies,
budget cycles, and shrinking dollars within such a short time frame. The
second, and arguably the more important, point was the dichotomy which
existed between the expectations of subscribers for special attention and
the need of the electronic community for trouble-free networking. Most
incidents involve multiple sites. FedCIRC assistance needed to be available
to all Federal civilian agencies, not just available to subscribers.

In an ideal world, all agencies would help pay for FedCIRC support.
Like a fire department that responds to any and all fires and not just
to taxpayers' blazes, an IR team needs to help wherever problems exist,
not merely to help with subscriber incidents. Incident response is not
a stand-alone operation. While subscribers expected special attention,
the reality of incident response required that FedCIRC help all organizations
involved in an incident. Involving only the subscribers in attempting to
resolve incidents likely meant FedCIRC could not reach the site the penetrator
was using or get key information needed to understand how the intruder
was breaking in or what new vulnerabilities were being exploited. A stable
funding source was required to make FedCIRC a success. Again, the fire
station model should be used: the station responds to all requests to put
out fires (in a priority order based on need), not just to requests from
those who have paid for fire protection.

In January 1998, the Chief Information Officers (CIO) Council Security
Committee began reviewing FedCIRC operations. The Committee agreed that
FedCIRC services were needed for all Federal civilian agencies and requested
that the General Services Administration become the manager of the initiative.
Working closely with the GSA team, the FedCIRC pilot team of NIST, CERT/CC,
and CIAC ensured that most of the services provided by the pilot would
continue in the GSA/FedCIRC.

On October 1, 1998, the new GSA program became operational. The capability
is available twenty-four hours a day, alerts are being issued, a web site
is maintained, training courses are planned, and specific services (e.g.,
forensic support) can be procured through GSA.